Guard against codecinfo overflow
Bug: 21296336
Change-Id: I78be5141b3108142f12d7cb94839fa50f776d84a
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp
index 74234a6..7d867b7 100644
--- a/media/libstagefright/MetaData.cpp
+++ b/media/libstagefright/MetaData.cpp
@@ -272,7 +272,12 @@
mType = type;
allocateStorage(size);
- memcpy(storage(), data, size);
+ void *dst = storage();
+ if (!dst) {
+ ALOGE("Couldn't allocate %zu bytes for item", size);
+ return;
+ }
+ memcpy(dst, data, size);
}
void MetaData::typed_data::getData(
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp
index 4f0862c..9da835d 100644
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp
@@ -876,25 +876,38 @@
size_t offset = 1;
size_t len1 = 0;
while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
+ if (len1 > (SIZE_MAX - 0xff)) {
+ return ERROR_MALFORMED; // would overflow
+ }
len1 += 0xff;
++offset;
}
if (offset >= codecPrivateSize) {
return ERROR_MALFORMED;
}
+ if (len1 > (SIZE_MAX - codecPrivate[offset])) {
+ return ERROR_MALFORMED; // would overflow
+ }
len1 += codecPrivate[offset++];
size_t len2 = 0;
while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
+ if (len2 > (SIZE_MAX - 0xff)) {
+ return ERROR_MALFORMED; // would overflow
+ }
len2 += 0xff;
++offset;
}
if (offset >= codecPrivateSize) {
return ERROR_MALFORMED;
}
+ if (len2 > (SIZE_MAX - codecPrivate[offset])) {
+ return ERROR_MALFORMED; // would overflow
+ }
len2 += codecPrivate[offset++];
- if (codecPrivateSize < offset + len1 + len2) {
+ if (len1 > SIZE_MAX - len2 || offset > SIZE_MAX - (len1 + len2) ||
+ codecPrivateSize < offset + len1 + len2) {
return ERROR_MALFORMED;
}
